Out-Law News 2 min. read
05 May 2011, 12:57 pm
The 9th US Circuit Court of Appeals in San Francisco said existing laws made it a crime to act against an employer's restrictions on computer use for fraudulent purposes, as long as the employer has made those limits clear to its staff.
The court reinstated charges against David Nosal, a former manager with recruitment agency Korn/Ferry International. Prosecutors claimed that Nosal had enlisted three current employees to obtain client lists and other confidential information to help him start his own business after resigning from the firm in 2004.
A federal judge ruled last year that Nosal could not have violated the Computer Fraud and Abuse Act (CFAA), as his alleged co-conspirators had full access to the computer system.
But the appeals court said an employee could go against the law's ban on "exceeding authorised access" to a company computer by knowingly breaching company use restrictions.
"As long as the employee has knowledge of the employer's limitations on that authorisation, the employee 'exceeds authorised access' when the employee violated those limitations. It is a simple as that," said Judge Stephen Trott in the majority decision (21-page / 93KB PDF).
He referred to the "clear and conspicuous" restrictions that Korn/Ferry placed on the use of data, both from the system in general and the client database in particular.
The CFAA was designed to deal with malicious computer hacking, and allows the US Government to prosecute hackers who access computers to steal information or to disrupt or destroy computer functionality.
It states than unauthorised access can mean "to access a computer with authorisation and to use such access to obtain or alter information in the computer than the accesser is not entitled to obtain or alter".
A criminal offence is committed when such access occurs "knowingly and with intent to defraud" the owner of that computer.
Judge Trott insisted that the court was not reading the law too broadly.
"We do not dismiss lightly Nosal's argument that our decision will make criminals out of millions of employees who might use their work computers for personal use, for example to access their personal email accounts or to check the latest college basketball scores," he said in the ruling.
"We are persuaded that the specific intent and causation requirements [of the CFAA] sufficiently protect against criminal prosecution those employees whose only violation of employer policy is the use of a company computer for personal – but innocuous – reasons."
Judge Tena Campbell disagreed with the majority's interpretation, arguing that it would apply to another section of the same law that does not require proof of fraudulent intent.
She said that the ruling would allow employers to prosecute "any person who obtains information from any computer connected to the internet, in violation of her employer's computer use restrictions."
In a similar case in 2009, the same court ruled that employees would not be liable under the law for accessing their employers' computers for "disloyal" purposes. However, Judge Trott pointed out that the absence of access restrictions in the previous case was a "substantial factual difference".
